# Security Policy ## Supported Versions Security fixes are applied to the current maintained release line only. | Version | Supported | | ------- | --------- | | 1.12.x | :white_check_mark: | | < 1.12 | :x: | For current package and release history, see: - [README](README.md) - [Release notes](docs/releases/README.md) - [Vulnerability notes](VULN_NOTES.md) ## Reporting a Vulnerability If you discover a security issue in Evalanche, report it privately through **GitHub Private Vulnerability Reporting** / **GitHub Security Advisories** for this repository. Do **not** open a public GitHub issue for security vulnerabilities. Please include: - affected version - impacted module, dependency, or execution surface - reproduction steps or proof of concept - severity and likely impact - any known mitigation or suggested fix ## Response Expectations - acknowledgement within **72 hours** - initial triage or follow-up within **7 days** - coordinated disclosure after a fix or mitigation is available Security fixes are expected to ship on the active release line, with notes captured in the release docs when appropriate.